things that catch my interest

XorHack v2.0: The Updated PS3 Exploit Toolkit

After using XorHack for a while I realised it was missing some things, so I decided it was time for an update. New syscalls have been added to give finer control over data access, now providing 8, 16, 32 and 64 bit reads and writes. Some new ioctls were also added to provide additional useful functions for your userland code. Lastly, new userland applications were added which give the ability to read, write and execute memory from the command line.

Hypervisor Exploit Changes

At the innermost level, some more syscalls are now added to the hypervisor when initially exploiting the PS3. These use different syscall numbers to the previous exploit code in order to group them all together rather than scattering them all over the place, which should make keeping track of them easier. There are now nine syscalls added to the PS3 upon exploiting, as syscalls 32 to 40 inclusive. Previously syscalls 16 and 20 were used for 64bit peek and 64bit poke, but these syscalls are no longer set up.

Kernel Module Changes

In the middle level I added interfacing support for the nine new syscalls, as well as a new ioctl to let user apps convert lpar addresses to real addresses and another to let user apps perform an ioremap on memory. I also fixed the syscall that executes code via a real memory address, since previously it wasn’t saving the link register, which is not good. Lastly I tracked down the problem I was having with calling ioctls from userland code. It turns out there are issues sending ioctls to a 64bit kernel from 32bit userland code: when you send the ioctl from your userland code there is a hidden function that attempts to “make it compatible” before passing it on to the kernel, and this was transparently causing some ioctls to never reach my kernel code. Things like this are why I hate linux hehe. It looked like fixing this was going to require a rebuild of sections of the kernel, so instead I brute-force tried all ioctl numbers until I found a nice bunch that made it through ok and settled for using them instead. When sending these ioctls a handle to the XorHack device is used, so I am not too worried about them going astray and wreaking havoc.

User Library changes

Finally, on the outermost level I added support for calling the new syscalls to read and write 8, 16, 32 or 64 bits at a time. In doing so I support unaligned addresses without the user having to check or worry about such things: if the address being accessed is aligned it will be accessed in a single syscall of the specified size, and if it is unaligned the library will either use multiple syscalls or a single syscall of a larger access size. I also added functions to easily check whether the system has been exploited yet, to perform lpar address to real address translation, to io-remap addresses and to execute code at a given real address. A new header file xorhack_sc.h was added which contains translations between syscalls as they would be used in kernel mode and the userland interface. I have only done a few here, but it should be enough to follow the pattern and create translations for any other syscalls. If anyone does complete these translations, please send them to me to include in the next version of XorHack.
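The aligned/unaligned handling described above, as an added example that is not XorHack's own library code: a simulated peek syscall that only accepts naturally aligned 1, 2, 4 or 8 byte accesses (an assumption standing in for the kernel side, over a constructed 32-byte memory), and a reader that covers any byte range either with one wider aligned access or with several smaller aligned ones.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for target memory: 32 bytes where byte i holds value i. */
static uint8_t g_mem[32] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31 };
static uint8_t g_out[32];  /* destination buffer for the demo reads */
static int g_syscalls;     /* how many simulated syscalls the last read issued */

/* Simulated peek syscall (a stand-in, not XorHack's): only naturally aligned
 * 1/2/4/8-byte accesses succeed. Value is assembled big-endian, as on PowerPC. */
static int sim_peek(uint64_t addr, int size, uint64_t *out)
{
    if (addr % (uint64_t)size != 0 || addr + size > sizeof g_mem) return -1;
    uint64_t v = 0;
    for (int i = 0; i < size; i++) v = (v << 8) | g_mem[addr + i];
    *out = v;
    g_syscalls++;
    return 0;
}
/* Read len bytes at addr. First try one access of the smallest size whose aligned
 * block covers the whole range (this fetches bytes outside the request, which the
 * caller must tolerate); otherwise walk the range with the widest aligned access
 * that fits at each position. Returns 0 on success, -1 on failure. */
static int peek_bytes(uint64_t addr, size_t len, uint8_t *dst)
{
    uint64_t v;
    for (int size = 1; size <= 8; size *= 2) {
        uint64_t base = addr & ~(uint64_t)(size - 1);
        if (addr + len > base + size) continue;      /* block too small for range */
        if (sim_peek(base, size, &v) != 0) break;     /* out of range: split instead */
        for (size_t i = 0; i < len; i++)
            dst[i] = (uint8_t)(v >> (8 * (size - 1 - (addr - base) - i)));
        return 0;
    }
    while (len > 0) {
        int size = 8;
        while (size > 1 && (addr % (uint64_t)size != 0 || (size_t)size > len)) size /= 2;
        if (sim_peek(addr, size, &v) != 0) return -1;
        for (int i = size - 1; i >= 0; i--) { dst[i] = (uint8_t)v; v >>= 8; }
        addr += size; len -= size; dst += size;
    }
    return 0;
}
/* Reads into g_out and reports how many syscalls it cost, or -1 on failure. */
static int peek_bytes_count(uint64_t addr, size_t len)
{
    g_syscalls = 0;
    return peek_bytes(addr, len, g_out) == 0 ? g_syscalls : -1;
}
```

The syscall count is what to watch: an aligned 4-byte read costs one call, a 4-byte read at address 2 is served by a single 8-byte read, and a 4-byte read at address 6 needs two 2-byte calls.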

Sample Application Changes

As well as the above additions and changes to the userland code, I have added three new command line applications: ps3peek, ps3poke and ps3exec, which allow reading, writing and executing of memory. The ps3peek and ps3poke tools work in a similar fashion. Both are able to perform 8bit, 16bit, 32bit and 64bit data accesses and can access multiple units of the data size in one call. The ps3peek tool can print data to screen as hex values and ascii characters, similar to the display of a hex editor, or print it as binary data to be redirected into a file. The ps3poke tool does not print data to screen but can write data to memory from values passed on the command line or values read from a file.

Here are some examples of what these tools can be used for.

Dumping the hypervisor

This reads 0x1000000 bytes (16MB) of data starting at address zero using a data access size of 8 bytes (64bits) and prints it in binary form, which is redirected into the hvdump.bin file. Note that 64bit access is used since it requires eight times fewer syscalls to get the same amount of data than the default 8bit access would.

ps3peek 0 -s 0x1000000 -d 8 -b > hvdump.bin

Reading the status register for spu0

ps3peek 0x20000044024 -d 4

Loading metldr

Scripts can be written using ps3peek, ps3poke and ps3exec, utilising files to store values between calls. By doing so many tasks can be automated, such as setting the registers required to load metldr.

Everyone loves pictures

The following is a picture taken with my dodgy G1 iPhone camera to show peek and poke in action. One day I will get a decent camera…

@graf:
I couldn’t figure out an automatic way to do the EA/VA/RA translation in IDA and make IDA create proper RTOC references in the process 6 code, so I made a trick. I extract the process 6 code to binary files per the protectionpage list, then I create new segments in IDA and load those binary files back, with the address set to the EA the code uses, i.e. the code section is loaded to a segment based at 0x80000000, and the data section is loaded to a segment based at 0xc0000000. Then I apply xorloser’s fix_rtoc_usage routine, with the rtoc I found (0xc00145e8), to the code segment. And finally I got the code and data cross referenced. It’s now very easy to see the code with references to those interesting strings and the encrypted master key. And finally I am getting to have fun.

My question is:
1. Is there any other way to create proper cross references between code and data in IDA for these discontinuous address pages, together with the RTOC usage fix?
I couldn’t imagine how you did your REs without this kind of trick.

2. For the OPD of process 6, I used a brute force method to locate it (that includes the use of my eyes, my fingers, and my brain with a headache), which is not a clever way. Is there any known good method to locate the OPD entries?

Holy shit, guys, please stop flooding this blog, I don’t think xorloser appreciates this. He said he doesn’t mind technical conversations.
And if someone has the USB Dongle Master Key then just make it public, I don’t mind, maybe then people will stop asking me questions about it.

What I don’t understand, guys, is why you need to downgrade your PS3. You won’t be able to play new games with it, and from your posts I understand that is what most of you want to do. I need it only to do research, to gain more knowledge about the HV. So why do you want to downgrade your PS3 so bad?

We want to downgrade the PS3 so bad because currently that’s the only firmware where we can jailbreak. Yes, there are compatibility issues, but I believe those are being worked on via payloads and such. Also, there are the homebrew apps, which include awesome emulators ^^

Because people have PS3s on 3.42 or 3.50 and want to be able to jailbreak, which as you well know, is for more than just playing games. It’s for homebrew, Linux, and helping to do research like you’re doing.

you are a dickhead !!!!!
e3 card reader now has at least allowed to downgrade free for a few euro,
and what do you do? keep talking about the master key? 3:50?
graf … but go fuck !!!!!!!!!!!!!!!!!!!
not worth anything, you know just talk nonsense, blah blah blah, but you never do shit.
you’re a hacker failed shit !!!!!!!!!!!!!

Alright guys, I’ve waited long enough, I’m uploading my findings, as well as hex files. I’m having trouble getting git to work the way I want it to for the code, but it won’t take me too long to figure this out. You guys have been really positive, and your loyalty will be rewarded very soon!

@Estx congrats if you actually found it. Do yourself a favor and stop reading anything on the internet until you release it. You will only find bashing from non-believers. It’s what they do, trolls they are. They did the same when JB was discovered, and stopped after the correct proof.

Well, I’m not that keen on the masterkey, but I’m interested in how you dumped the HV.
Did you dump the HV on 3.15 Linux?
Did you patch “denied by policy” in the HV?
Or did you use the exploit without running Linux?

I know you are impatient to get this USB Dongle Master Key, but without my devboard I cannot do much. There are so many guys out there who already have everything to dump the USB Dongle Master Key; I gave you the knowledge of how to do it, so use it. Your brain can be a powerful tool, guys.

I hope this is true and not a fake story like others have been on psx-scene. If this is correct, why don’t you release it so other members can flash their PS3 back to 3.40? There are lots of sticks out there saying they can downgrade to 3.40; I don’t see any point wasting cash until someone hacks it and releases it for free. OK, I know there are a few games that need 3.50 firmware, but I am sure there will be a patch to sort this problem out so members can enjoy new release games. So what are you waiting for? Release it!!! Until then, good luck with your work!!!

Usually I am too lazy to post a comment, but in this case I’d just like to say that graf_chokolo is one of the few who are acting so correctly and in the best way for the PS3 scene, without claiming to be a god or saying “hey, I can do it, but wait, I won’t tell you yet because blahblahblah”. He always shared everything, in a clear way, helping out everyone. My congratulations for your hard work and for all the support/hopes/ideas and presence around the PS3 world, graf! 😉

Hmm, ETSX posted the master key (which I doubt is the master key) but ESTX is the original finder, so is someone spoofing his name in an attempt to get the crowd roaring? Drop these values above into a hex editor and it basically translates to “I love a big penis”.

I see ps3key now has a downgrader incoming as well… Seems to me like this “master key” has been known for a while. Instead of collecting the bounty from ps3-hacks they figured they would make more money selling it to the “ps3 jailbreak clones”: selfish, YES, but also genius. So now that these clones are popping up with downgraders, why not just release the damn thing already! (I must admit I already jumped on the E3 bandwagon last night, but it would still be nice to see the open source psgrade released and working.) I also read that if E3 sells as much as they expect, they will ask you, Graf, to work for them???

I happen to have a PS3 that was interrupted during a firmware update (kids running around unplugged the cord in the middle of the update), essentially leaving me with a paperweight. I bought another PS3 but still have the brick; I’m hoping the master key will help me get my fat PS3 paperweight up and running once more!! Thanks to all who have given so much of their time to the PS3 scene!!

There are downgrading solutions under $20 already, and it’s also a normal jailbreak solution. X3max has announced a 3.50 JAILBREAK and Downgrader. That means you get 3.50 with jailbreak on PSN, playing GT5. =) I myself am more interested in a custom firmware. Has anyone around here tinkered around with the Service Mode? If we can find a way to get it to load a modified PUP (with hacks allowing dev options)… I know that the PUP files are encrypted and if even 1 byte changes it is INVALID, but maybe in service mode there are things we haven’t heard of. This might be a stupid question, but since I don’t have a downgrader, is it possible to get into Dev-Service Mode? There has to be some development method hidden that Sony uses to test to ensure a firmware is stable on a retail unit… I wish I had a downgrade dongle to help contribute to the scene the best I can, but bills are killing me right now. I HATE WINTER!

Guys all these downgrade tools and other commercial hacks are nice but only temporary. Sony will be quick to release a 3.51 then a 3.52

It’s Graf’s HV reversing work that will futureproof and really move the scene forward. When all of the secrets of the HV are unlocked, we will have full control of the machine no matter what Sony throws at its security measures. Similar to the Xbox JTAG hack.

Please keep it technical, and leave all of the complaints and haters to the other forums. Let graf do his thing and collaborate with other likeminded individuals. Graf shares all of his findings, so no need to push or ask when it will be avail, it will be avail as progress is made.

Thanks for all of your work Graf, it’s been very interesting reading and I wish you all the best on your new hobby. Don’t let the kids make it less fun for you.